b'   April 8, 2003\n\n\n\n\nInformation Technology\nManagement\n\nTransition From the Automatic\nDigital Network to the Defense\nMessage System\n(D-2003-075)\n\n\n\n\n               Department of Defense\n           Office of the Inspector General\nQuality               Integrity        Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at http://www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703)\n  604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703)\n  604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling (800)\n  424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\n\nAUTODIN               Automatic Digital Network\nDCID                  Director of Central Intelligence Directive\nDISA                  Defense Information Systems Agency\nDMS                   Defense Message System\nDSA                   Directory System Agent\nEAM                   Emergency Action Message\nFCD                   Functional Content Document\nIC                    Intelligence Community\nJITC                  Joint Interoperability Test Command\nMAISRC                Major Automated Information System Review Council\nMROC                  Multicommand Required Operational Capability\nNIPRNET               Non-Secure Internet Protocol Router Network\nOASD(C3I)             Office of the Assistant Secretary of Defense (Command, Control,\n                         Communications, and Intelligence)\nSIPRNET               Secret Internet Protocol Router Network\nVPN                   Virtual Private Network\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2003-075                                                     April 8, 2003\n  (Project No. D2002LA-0109)\n\n             Transition From the Automatic Digital Network to\n                        the Defense Message System\n\n                               Executive Summary\n\nWho Should Read This Report and Why? This report should be read by personnel\ninvolved with managing the Defense Message System (DMS), as well as those who\nmanage the development of information technology systems. This report addresses DMS\nuser requirements and intelligence community directory security.\n\nBackground. The Automatic Digital Network (AUTODIN) was implemented in 1962 to\nprovide DoD secure and reliable messaging capability. However, after a study conducted\nin the late 1980s revealed that AUTODIN was costing in excess of $700 million per year\nto operate, a search for a replacement messaging system began. The Defense Information\nSystems Agency started developing DMS in 1988 to replace the messaging functions\nprovided by AUTODIN and other legacy electronic mail systems. In order to acquire the\nDMS products and services needed, the Air Force awarded a contract to Loral Federal\nSystems Company in 1995. As of September 30, 2002, DoD had expended about\n$9 billion in total program costs (FY 1990 through FY 2002) in support of DMS. Those\ncosts include investment costs of $2.29 billion, operations and support costs of\n$0.15 billion, and legacy (AUTODIN) phase-out costs of $6.65 billion. DMS is to be\nused by all DoD supporting agencies and users to satisfy organizational messaging needs.\nDMS Release 3.0, the final version, was fielded in June 2002 with an April 2003\noperational date and should meet all established user requirements except for emergency\naction messaging needs and the intelligence community requirements. DoD plans to\ncease using AUTODIN and close the DMS Transition Hubs by September 30, 2003.\n\nIn January 2002, the House Subcommittee on Military Readiness, Committee on Armed\nServices requested that the Inspector General of the Department of Defense provide an\nupdate to the IG DoD Report No. 98-150, \xe2\x80\x9cReadiness of the Defense Message System to\nReplace the Automatic Digital Network,\xe2\x80\x9d June 11, 1998. Specifically, the audit was to\nreview and evaluate the development, fielding, and cost of DMS.\n\nResults. Although DMS Release 2.2 did not meet all user and security requirements,\nDMS Release 3.0 and proposed alternatives to meet intelligence community requirements\nshould satisfy all Multicommand Required Operational Capability and security\nrequirements. Although DMS Release 3.0 should satisfy all Multicommand Required\nOperational Capability requirements, DMS Release 2.2 did not meet all user\nrequirements, such as message delivery, non-delivery notices, and directory information,\nand was not widely used. Because of inadequate guidance and oversight, DMS\nimplementation was not on schedule and planned savings of $453 million had not been\nrealized. However, in order to move forward, DMS Release 3.0 should be allowed to\noperate, and given appropriate support, for a reasonable amount of time to determine\nwhether it can meet user requirements. If DMS does not meet user requirements, then a\n\x0csurvey should be conducted and a working group established to develop a solution to\nsatisfy user requirements (finding A).\n\nDMS Release 3.0 does not satisfy intelligence community requirements for directory\nsecurity. As a result, the intelligence community may not have a secure permanent\nmessaging system available to meet its requirements by the DMS Transition Hub closure\ndate of September 30, 2003. Because the Defense Information Systems Agency and the\nintelligence community have agreed on a solution to address the directory security\nrequirements, this report makes no recommendations (finding B).\n\nManagement Comments. A draft of this report was issued on March 14, 2003. The\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\ndid not provide comments and comments from the Director, Joint Staff were received too\nlate to be considered in preparing the final report. Therefore, we request that the\nAssistant Secretary of Defense provide comments by May 8, 2003. If the Director, Joint\nStaff does not submit additional comments by May 8, 2003, we will consider the\ncomments received as the response to the final report.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary                                                        i\n\nBackground                                                              1\n\nObjectives                                                              3\n\nFindings\n     A. Defense Message System Status                                    4\n     B. Intelligence Community Directory Security                       13\n\nAppendixes\n     A. Scope and Methodology                                           19\n         Prior Coverage                                                 20\n     B. Congressional Request                                           21\n     C. DMS Multicommand Required Operational Capability Requirements   22\n     D. Report Distribution                                             23\n\x0cBackground\n           In January 2002, the Chairman of the House Subcommittee on Military\n           Readiness, Committee on Armed Services requested that the Inspector General of\n           the Department of Defense provide an update to the IG DoD Report No. 98-150,\n           \xe2\x80\x9cReadiness of the Defense Message System to Replace the Automatic Digital\n           Network,\xe2\x80\x9d June 11, 1998 (see Appendix B).\n\n           Automatic Digital Network. AUTODIN was developed as a messaging network\n           in the late 1950s with initial implementation in 1962. AUTODIN was to provide\n           DoD secure and reliable transmission of organizational messages. A study\n           conducted in the late 1980s revealed that AUTODIN was costing in excess of\n           $700 million per year to operate. As a result, the Defense Information Systems\n           Agency (DISA) started developing DMS in 1988 to replace the messaging\n           functions provided by AUTODIN and other legacy electronic mail (e-mail)\n           systems. In order to acquire the DMS products and services needed, the Air\n           Force awarded a contract to Loral Federal Systems Company1 in 1995. The\n           contract had a 2-year base period and six option years, with an estimated value of\n           $1.7 billion (total value over the 8-year period). Option Period Six of the contract\n           extended the performance period from May 1, 2002, through April 30, 2003.\n           DoD planned to cease use of AUTODIN by September 30, 2003. The DMS\n           Transition Hubs that allow DoD Components to transmit messages using\n           AUTODIN are scheduled for closure on that date.\n\n           Defense Message System. DMS is a messaging mail system based on\n           commercial off-the-shelf software that provides a flexible messaging capability.\n           DMS was designed to perform multimedia messaging (for example, text and\n           graphics) and directory services. Directory services provide a means to locate\n           computer systems, files, individuals, and e-mail addresses and to perform other\n           lookup requirements. DMS takes advantage of the underlying Defense\n           information infrastructure and security services. DMS provides access to\n           messaging services for all DoD users worldwide (including deployed tactical\n           users) as well as an interface to other U.S. Government agencies, allies, and\n           Defense contractors. DMS relies on current and emerging technological\n           capabilities to provide secure organization-to-organization and individual\n           messaging services. DMS is also intended to have the capability of handling all\n           classification levels of information, from Unclassified to Top Secret, including\n           classification levels used by the intelligence community (IC).2 Before fielding a\n           DMS release, the Joint Interoperability Test Command (JITC) tests it for\n           operability. Although DMS Release 3.0 was fielded in June 2002 (with an\n           operational date of April 2003), as of November 2002, DMS Release 2.2 was the\n           most current version in use. DMS is expected to reach full operational capability\n           by FY 2008 through a series of software releases. DMS Release 3.0 is expected\n           to satisfy Multicommand Required Operational Capability (MROC) requirements\n           (listed in Appendix C).\n1\n    Loral Federal Systems Company was acquired by Lockheed Martin Corporation in April 1996.\n2\n    The IC comprises 14 Government agencies and organizations, including the Central Intelligence Agency,\n    the Defense Intelligence Agency, the Federal Bureau of Investigation, and the National Security Agency,\n    which carry out the intelligence activities of the U.S. Government.\n\n\n\n                                                      1\n\x0c           Roles and Responsibilities. The key players in the implementation of DMS are\n           the Office of the Assistant Secretary of Defense (Command, Control,\n           Communications, and Intelligence) (OASD[C3I]), the Joint Staff, DISA, and the\n           Services.\n\n           OASD(C3I) is the designated milestone decision authority for DMS and is\n           responsible for providing programmatic policy and acquisition guidance and\n           oversight for DMS. The Joint Staff is responsible for reviewing DMS actions for\n           consistency with validated requirements; ensuring adequate coordination with and\n           validating requirements from the combatant commands and the Services; and\n           providing joint doctrine as required. DISA is responsible for maintaining\n           oversight of DMS acquisition; providing overall operational management and\n           control of DMS; ensuring Joint Staff-validated requirements are met; and\n           coordinating DoD-wide implementation of DMS. The responsibilities of the\n           Services include maintaining aggressive program management during the\n           implementation of DMS; ensuring that the transition planning and AUTODIN\n           phase-out planning3 are up-to-date, executed on schedule, and consistent with\n           overall program milestones; providing operational support for the management of\n           assigned DMS components in accordance with approved DMS operational policy\n           and procedures; and maintaining adequate training in accordance with the DMS\n           training plan.\n\n           The Services and the Defense agencies reached a consensus in 1989 to modernize\n           DoD messaging by replacing the legacy message systems with DMS. To\n           accomplish the modernization of DoD messaging, DISA and the Military\n           Departments established DMS program management offices. An agreement\n           reached between DISA and the Military Departments stipulated that DISA would\n           provide all required infrastructure and software products and that the cost of\n           fielding the hardware products would be shared. The Military Departments and\n           the Defense agencies would be responsible for DMS implementation throughout\n           their respective organizations.\n\n           Messaging Requirements. In 1989, the Joint Staff validated MROC 3-88, which\n           outlined the requirements to be met by DMS. In 1994, DISA developed and the\n           Joint Staff approved change 1 to the \xe2\x80\x9cRequired Operational Messaging\n           Characteristics,\xe2\x80\x9d April 15, 1994, that contained more detailed requirements to be\n           met by DMS. In 1997, those requirements were incorporated into MROC 3-88,\n           Change 2 (hereafter referred to as MROC). The MROC serves as the\n           requirements basis for all DMS projects and components, including the Target\n           Architecture and Implementation Strategy, the Concept of Operations, and Allied\n           Communication Publication 1234 being developed with the support of the\n           Military Communications-Electronics Board.\n\n           DMS comprises the hardware, software, procedures, personnel, and facilities\n           required for the electronic delivery of messages between the Services and Defense\n           agencies and for interfaces to the messaging systems of allies and Defense\n           contractors. OASD(C3I) designated DMS as the messaging system to be used for\n3\n    AUTODIN phase-out planning is the process or plan of action for closure of the DMS Transition Hubs.\n4\n    Allied Communication Publication 123, \xe2\x80\x9cCommon Messaging Strategy and Procedures,\xe2\x80\x9d August 15,\n    1997, defines the services, protocol, and procedures to support electronic messaging.\n\n\n\n                                                     2\n\x0c           DoD and its supporting agencies, thereby initiating the migration from\n           AUTODIN and other legacy message systems to DMS. DISA provided the DMS\n           infrastructure and fielded software in January 1998 with DMS Release 1.1. DMS\n           Release 2.2 was fielded in April 2001. Each release provided enhanced\n           capabilities. DISA fielded DMS Release 3.0 in June 2002 with a scheduled\n           operational date of April 2003.\n\n           Acquisition Strategy. The DMS Program was designated as a Major Automated\n           Information System Review Council (MAISRC) acquisition category IA5\n           program in March 1994. In July 1998, the MAISRC was disestablished and the\n           Information Technology Overarching Integrated Product Team assumed\n           responsibility for the management oversight of the DMS Program. Milestones set\n           by the MAISRC dictated that DMS be acquired using an evolutionary acquisition6\n           approach and be implemented progressively, through a series of DMS releases,\n           with the transition from AUTODIN to DMS first, followed by the capability to\n           provide \xe2\x80\x9cunclassified-but-sensitive\xe2\x80\x9d messaging and then classified messaging.\n           The full range of DMS operational capabilities would be achieved through\n           coordinated product releases. Each release is focused on a critical aspect of DMS\n           and updates earlier releases that results in enhanced capabilities as part of an\n           integrated system. The fielding of each new release was dependent upon the\n           successful completion of operational testing by JITC.\n\n           Cost. As of September 30, 2002, DoD had expended about $9 billion in total\n           program costs (FY 1990 through FY 2002) in support of DMS. Those costs\n           include investment costs of $2.29 billion, operations and support costs of\n           $0.15 billion, and legacy (AUTODIN) phase-out costs of $6.65 billion. In 1998,\n           DoD had envisioned that DMS would save $453 million by shutting down\n           AUTODIN in December 1999. A decrease in original legacy phase-out cost\n           estimates and an increase in DMS cost estimates, as well DoD not meeting the\n           December 1999 deadline, led to a negative return on investment of $266 million\n           over the life of the DMS program (through FY 2013).\n\n\nObjectives\n           Our overall audit objective was to determine whether DMS can replace critical\n           AUTODIN messaging capabilities. Specifically, the audit reviewed and\n           evaluated the development, fielding, and cost of DMS. We did not evaluate\n           management controls because the audit was limited to a review of whether DMS\n           as fielded could meet the requirements of users. See Appendix A for a discussion\n           of the scope and methodology and for prior coverage related to the overall\n           objective.\n\n5\n    An acquisition category IA program is a Major Automated Information System designated by\n    OASD(C3I) as an automated information system acquisition program. Also, the acquisition program is\n    estimated to require program costs in any single year in excess of $25 million, total program costs in\n    excess of $100 million, or total life-cycle costs in excess of $300 million in FY 1990 constant dollars.\n6\n    Evolutionary acquisition is an approach that fields an operationally useful and supportable capability in as\n    short as time as possible. It delivers an initial capability with an explicit intent of delivering improved or\n    updated capability in the future.\n\n\n\n                                                         3\n\x0c           A. Defense Message System Status\n           Although DMS Release 3.0 should satisfy all MROC requirements, DMS\n           Release 2.2 did not meet all user requirements and was not widely used\n           because the system was fielded incrementally and OASD(C3I) and the\n           Joint Staff did not provide adequate guidance and oversight of the DMS\n           Program. As a result, DMS may not be able to replace the critical\n           AUTODIN emergency action messaging capability by September 30,\n           2003, the date DoD plans to cease using AUTODIN and close the DMS\n           Transition Hubs. In addition, DMS was not on schedule and planned\n           savings of $453 million had not been realized.\n\n\nDMS Multicommand Required Operational Capability\n    According to the DISA DMS program manager, the results of independent\n    operational assessments and tests by JITC for DMS Releases 1.0 through 3.0\n    indicate that DMS Release 3.0, scheduled to be operational by April 2003, should\n    satisfy all MROC requirements. DMS was required to meet requirements in\n    12 areas, listed in Appendix C. Although DMS Release 3.0 was fielded in\n    June 2002, with an operational date of April 2003, as of November 2002, DMS\n    Release 2.2 was the most current version in use. The MROC sets forth DMS\n    messaging requirements for DoD.\n\n    DMS Release 2.2 users in operational environments in the European and Pacific\n    theaters encountered problems with message delivery, non-delivery notices, and\n    the directory while operating DMS Release 2.2. In addition, JITC conducted\n    operational assessments or tests of DMS to determine the extent to which each\n    DMS release was operationally effective and operationally suitable to support\n    DoD organizational messaging requirements. Those assessments or tests revealed\n    that DMS Release 2.2 did not meet MROC requirements for\n    confidentiality/security, integrity, and availability/reliability. Lastly, DMS did\n    not support strategic messaging requirements, specifically emergency action\n    messages (EAMs).\n\n\nDMS Performance\n    This section discusses the performance of DMS, including concerns of users in\n    the European and Pacific theaters about message delivery, the directory, and\n    emergency action messaging in operational environments.\n\n    Message Delivery and Non-Delivery Notices. A JITC operational assessment\n    showed that DMS Release 2.2 was unable to provide the capability to trace\n    messages from the writer to the reader (message delivery). In addition to DMS\n    Release 2.2 not meeting the MROC requirement for message delivery, DMS users\n    experienced problems with non-delivery notices.\n\n\n\n\n                                        4\n\x0c           DMS users experienced a high number of non-delivery notices. The MROC\n           states that DMS must deliver messages to intended recipients with a high degree\n           of certainty. To measure the performance of DMS, DISA established a threshold\n           of 3 percent for non-delivery of messages. DISA monitored message delivery\n           performance on a monthly basis and reported that during the month of\n           August 2002 DISA and the Services sent out 266,421 messages and received non-\n           delivery notices for 18,958 (7 percent) of the messages, more than double the\n           DISA-established acceptable rate. The Services encountered non-delivery notice\n           rates ranging from 5.5 percent to 11 percent for the period of April through\n           July 2002. During that 4-month period the percent of messages not delivered,\n           generating a non-delivery notice, increased from 7.9 percent to 8.1 percent for the\n           Army, from 6 percent to 9 percent for the Air Force, and from 8.9 percent to\n           11 percent for the Marine Corps. Navy non-delivery notices decreased from\n           8 percent to 6.1 percent during the same period. Each of the Services experienced\n           non-delivery rates above the established 3 percent threshold. The non-delivery\n           notices occurred because of expired, incorrect, or invalid addresses; misrouting of\n           messages in the DMS backbone;7 or improperly configured DMS components and\n           profiles. DMS non-delivery notices did not provide an explanation as to why the\n           message did not go through or provide a solution to correct the problem. Non-\n           delivery notices required the sender to do additional followup work to ensure that\n           the information was received by the intended organization. In addition, message\n           originators did not know whether messages reached their intended recipients.\n\n           We conducted panel discussions with groups of DMS users at organizations in the\n           European and Pacific theaters. Personnel at those panel discussions provided us\n           details of their message delivery problems.\n\n                   Army. Army personnel at panel discussions in the European and Pacific\n           theaters stated that they experienced problems with non-delivery notices and\n           message delivery. In the European theater, Army users stated that non-delivery\n           notices did not clearly explain why the message did not go through, offer\n           suggestions for correction, or provide any detailed information about the problem.\n           In the Pacific theater, personnel at the U.S. Army Pacific, Command Center,\n           stated that the majority of their delivery problems dealt with receiving delivery\n           confirmation notices on DMS messages that they had sent but later discovering\n           the messages had not reached the intended recipients.\n\n                   Navy. Panel discussions with Navy personnel in the European and Pacific\n           theaters revealed that Navy DMS users experienced problems with message\n           delivery. For example, an official at a transportation office in Europe and a Fleet\n           Industrial Support Center official in the Pacific theater stated that DMS messages\n           were not always delivered to their customers. As a result, they used the Secret\n           Internet Protocol Router Network (SIPRNET)8 to meet part of their messaging\n           needs. Personnel from the Naval Pacific Meteorology and Oceanography\n           Facility, which provides weather information to ships and pilots, stated that they\n           experienced instances where weather condition messages did not reach the\n           facility\xe2\x80\x99s customers.\n7\n    The Defense Information Systems Network is the worldwide backbone router system for the Defense\n    information infrastructure.\n8\n    The SIPRNET is the Secret portion of the Defense Information Systems Network.\n\n\n\n                                                    5\n\x0c                    Air Force. Air Force personnel in the European and Pacific theaters\n            experienced problems with non-delivery notices and message delivery. Panel\n            discussions with Air Force DMS users in the European theater identified that the\n            Air Force Air Mobility Operations Control Center (the Control Center), located at\n            Ramstein Air Force Base, Germany, could not routinely determine from non-\n            delivery notices which recipient had not received a message, or how to correct the\n            problem. An official in the Control Center stated that about one-third of the DMS\n            messages sent did not reach their destinations. The Control Center is responsible\n            for planning, scheduling, tasking, and executing theater air mobility. When\n            executing Joint missions, it is imperative that Control Center messages reach their\n            intended destinations in a timely manner. Panel discussions with DMS users in\n            the Pacific theater identified that the Pacific Operations Support Command (the\n            Support Command), located at Hickam Air Force Base, Hawaii, also experienced\n            problems with high-importance DMS messages not reaching their destinations.\n            The Support Command is responsible for command and control of the nine air\n            wings within the Pacific theater and must have assured means of communications.\n            Some of the non-delivery notices the Support Command received were for\n            messages sent to airfields; however, the non-delivery notices did not provide an\n            explanation as to why the messages did not go through. Many of those locations\n            were not DMS-capable and required that the messages be transmitted by\n            AUTODIN or secure fax. The Support Command allocated additional time to\n            complete followup calls to all locations to determine which locations received the\n            messages, and then find an alternative way to transmit to those that had not\n            received the messages.\n\n            Overall, to ensure that messages would be delivered to intended recipients, DMS\n            Release 2.2 users relied on other means, including AUTODIN, non-DMS e-mail,\n            facsimile transmissions, the Global Command and Control System,9 the Joint\n            Operation Planning and Execution System,10 the Non-Secure Internet Protocol\n            Router Network (NIPRNET),11 and the SIPRNET.\n\n            Directory. DMS Release 2.2 users in both the European and Pacific theaters\n            found that navigating the directory system was a time-consuming and daunting\n            task. The directory system within DMS stores recipients\xe2\x80\x99 addresses,\n            security-related information, and information necessary to provide organizational\n            and individual messaging on a global basis. The DMS directory system stores\n            information in a distributed, hierarchical structure known as the Directory\n            Information Tree. The Directory Information Tree structure was not standardized\n            among and within the Services, making it extremely difficult to navigate making\n            tasks such as finding DMS addresses time consuming. The absence of a\n            standardized structure for information in the DMS directory required users to be\n            familiar with the naming convention used by each organization to establish its\n            directory in order to find addresses in a timely manner. Master Key Plus, a DMS\n            tool used to find DMS organizational addresses and store those addresses in user\n            contact lists, was available for DMS Release 2.2; however, the user had to\n\n9\n    The DoD computerized system of record for strategic command and control functions.\n10\n      An integrated, joint conventional command and control system used by senior-level decision makers and\n     their staffs to plan and conduct joint military operations.\n11\n     The NIPRNET is the non-secure, common-user portion of the Defense Information Systems Network.\n\n\n\n                                                      6\n\x0c           download Master Key Plus software. Master Key Plus is included in DMS\n           Release 3.0 and should meet user needs.\n\n           JITC Assessments of DMS. According to the results of operational tests or\n           assessments conducted by JITC, DMS Release 2.2 did not fully meet four of the\n           12 MROC requirements. A complete list of all 12 MROC requirements is listed\n           in Appendix C.\n\n                   Confidentiality/Security. A JITC operational assessment showed that\n           DMS Release 2.2 was unable to provide the capability to process and protect all\n           unclassified, classified, and sensitive messages at their appropriate security levels.\n           That capability includes writer-to-reader message confidentiality; support for\n           appropriate message security levels and markings; and authentication, access\n           management, and access control using approved security mechanisms. However,\n           according to another JITC operational assessment, DMS Release 3.0 should\n           satisfy the MROC requirement.\n\n                   Message Delivery. A JITC operational assessment showed that DMS\n           Release 2.2 was unable to deliver messages to the intended recipients with a high\n           degree of certainty. The system was not able to provide traceability from writer\n           to reader. However, according to another JITC operational assessment, DMS\n           Release 3.0 should satisfy the MROC requirement.\n\n                   Integrity. A JITC operational assessment showed that DMS Release 2.2\n           was unable to provide system-level safeguards against accidental, unauthorized,\n           or malicious actions that could result in the alteration of security protection\n           mechanisms, security classification levels, addressing or routing information, and\n           audit information. However, according to another JITC operational assessment,\n           DMS Release 3.0 should satisfy the MROC requirement.\n\n                   Availability/Reliability. A JITC operational assessment showed that\n           DMS Release 2.2 was unable to provide the appropriate safeguards to protect the\n           system from accidental, unauthorized, or hostile actions, resulting in the inability\n           to use system services. However, according to another JITC operational\n           assessment, DMS Release 3.0 should satisfy the MROC requirement.\n           DMS Support of Emergency Action Messages (EAMs). According to DISA\n           and the U.S. Strategic Command, located at Offutt Air Force Base, Nebraska,\n           DMS cannot support all strategic messaging requirements, such as EAMs.12 The\n           inability of DMS to support EAMs was identified as a potential problem in 1997\n           when an analysis indicated that DMS could not fully support the dissemination of\n           EAMs in accordance with Chairman of the Joint Chiefs of Staff\n           Instructions 5119.0113 and 6811.01, \xe2\x80\x9cNuclear Command and Control System\n\n12\n      Previously reported in the Office of the Inspector General of the Department of Defense Report\n     No. 98-150, \xe2\x80\x9cReadiness of the Defense Message System to Replace the Automatic Digital Network,\xe2\x80\x9d\n     June 11, 1998.\n13\n  Chairman of the Joint Chiefs of Staff Instruction 5119.01, dated December 5, 1994, was canceled June 9,\n 2000, and replaced by Chairman of the Joint Chiefs of Staff Instruction 5119.0 1A, \xe2\x80\x9cCharter for the\n Centralized Direction, Management, Operation, and Technical Support of the Nuclear Command,\n Control, and Communication System,\xe2\x80\x9d June 9, 2000.\n\n\n\n                                                     7\n\x0c    Technical Performance Criteria,\xe2\x80\x9d January 10, 1994. In September 1997, the Joint\n    Staff acknowledged that DMS would not fully support the requirement to\n    disseminate EAMs formerly satisfied by AUTODIN.\n\n    Extensive efforts to address the issue culminated in the development of an interim\n    plan to use the DMS Transition Hubs until another solution was determined. The\n    1999 Defense Planning Guidance directed the Joint Staff to lead a Nuclear\n    Command, Control, and Communications Integrated Product Team to identify\n    requirements; develop a concept of operations; and prototype, implement, and test\n    a second interim solution, the hybrid solution, for disseminating EAMs before the\n    DMS Transition Hub closure date. The Military Communications-Electronics\n    Board (the Board) granted the formal endorsement of the EAM Hybrid Interim\n    Solution on November 29, 2000. In June 2001, the Board established an EAM\n    Board of Directors to test and monitor the EAM Hybrid Interim Solution\xe2\x80\x99s\n    progress and address any unresolved issues. In addition, the EAM Board of\n    Directors will monitor the development of a long-term follow-on solution.\n\n    Problem Resolution. The problems DMS users experienced with message\n    delivery, non-delivery notices, and the Directory Information Tree were not\n    significant. With appropriate guidance, experience, and the issuance of Master\n    Key Plus with DMS Release 3.0, those problems should be resolved. DMS\n    Release 3.0 should satisfy all of the MROC requirements, including those only\n    partly met by DMS Release 2.2. In addition, EAM support was being addressed\n    by both short-term and long-term resolutions.\n\n    Limited Use of DMS. DMS implementation did not appear to be a priority at\n    most sites visited in the European and Pacific theaters. Site visits revealed that\n    some users had not received any formal training on the system, did not understand\n    the intent of the system, or why or when to use DMS. At the sites, units had DMS\n    installed but personnel had not been trained on it or its application. Overall, not\n    only was DMS not widely used, it had also developed a negative reputation due to\n    the lack of the system\xe2\x80\x99s original capabilities and a lack of user training and\n    education on the system.\n\n    Resolution of User Concerns. According to the results of a JITC assessment, the\n    message delivery and the directory problems encountered by DMS users in the\n    European and Pacific theaters should be resolved when DMS Release 3.0 is put\n    into use in April 2003. Once DMS Release 3.0 is put into use and allowed to\n    operate for a reasonable amount of time, users should be surveyed to determine\n    whether DMS Release 3.0 meets all user and MROC requirements. If required, a\n    working group should be established to develop a solution to satisfy user\n    requirements.\n\n\nDMS Fielding and Program Oversight\n    DMS Release 2.2 did not meet user needs and was not widely used because DMS\n    was fielded incrementally and OASD(C3I) and the Joint Staff did not provide\n    adequate guidance or oversight of the DMS Program.\n\n\n\n                                         8\n\x0cIncremental Fielding. DoD users encountered problems because DMS was\nfielded before it was mature enough to fully support user needs. DMS\nReleases 1.0 and 2.1, although tested before fielding, lacked the capability to\nsupport most units\xe2\x80\x99 basic missions; therefore, the combatant commands and the\nServices did not mandate that subordinate units use DMS. As a result, the\nimplementation of the system may have been adversely affected by incrementally\nfielding DMS.\n\nAdequacy of Guidance and Oversight. OASD(C3I) did not provide adequate\nguidance and oversight for the implementation and usage of DMS. DMS was not\nwidely used among operational units in the European and Pacific theaters because\nof incremental implementation; poor measurement criteria; and insufficient\ncommand emphasis requiring use of DMS once fielded. The Joint Staff needs to\nensure that the Services provide sufficient command emphasis on the DMS\nProgram.\n\n       Incremental Implementation. The DMS Product Plan (Version 3.03),\ndated August 20, 1999, envisioned an organizational messaging transition from\nAUTODIN to DMS by the end of December 1999. However, DMS site\nimplementation problems prevented that goal from coming to fruition. A\nDecember 28, 1999, memorandum from OASD(C3I) stated, \xe2\x80\x9coperational issues\nwarrant a re-look at the overall AUTODIN to DMS transition plan.\xe2\x80\x9d The\nmemorandum goes on to state:\n          It\xe2\x80\x99s now clear some of the CINCs [commanders in chief, now referred\n          to as combatant commanders], Services, and DoD Agencies are unable\n          to meet [the established] deadline. While many DMS organizational\n          accounts should be functional by December 1999, DMS integration\n          into operational business practices will not be sufficiently mature to\n          replace AUTODIN for organizational messaging.\n\nSite implementation processes continued to be a problem for later DMS releases.\nA July 1, 2002, memorandum from OASD(C3I) states:\n          Site implementation processes and procedures, including training, were\n          identified in the OT [operational test] as needing improvement. DISA,\n          in coordination with the Services, shall re-examine the OT results to\n          identify common site implementation problems and determine if\n          adjustment to the DMS site implementation guidance is required.\n\nAs cited above, OASD(C3I) recognized that improvements to the site\nimplementation guidance were required. We believe OASD(C3I) should monitor\nDMS site implementation processes and procedures to ensure that DMS is\nimplemented in the combatant commands and Services in the most efficient and\neffective manner.\n\n        Measurement of DMS Usage. On December 28, 1999, OASD(C3I)\nissued a revised transition plan. The plan focused on increasing DMS use by\nmonitoring the transition progress in a DISA monthly report. The revised\ntransition plan also established a deadline of September 15, 2000, for all\norganizational accounts of combatant commands, Services, and Defense agencies\nto be operational (no longer sending AUTODIN messages) and all of the general\n\n\n                                       9\n\x0c            service message traffic to be transitioned to DMS. However, the measurement\n            criteria used in the plan was not quantifiable enough to determine whether the\n            users were fully using the system\xe2\x80\x99s capabilities to support their mission\n            requirements.\n\n                            Operational Versus Functional Use of DMS. The revised\n            transition plan established the terms \xe2\x80\x9cFunctional\xe2\x80\x9d and \xe2\x80\x9cOperational\xe2\x80\x9d14 to\n            distinguish whether units had completed the transition from AUTODIN to DMS.\n            However, use of those terms did not mean a unit actually used DMS. Units could\n            have DMS capability (functional) and stop using AUTODIN (operational)\n            without using DMS to meet their messaging needs by using other systems instead\n            of DMS. For example, users in both the European and Pacific theaters stated their\n            units were DMS functional and operational even though they only used DMS to\n            send test messages. Other units in the Pacific theater reported being DMS\n            functional and operational even though personnel in those units did not know\n            which computer contained the DMS software. Personnel at those units stated that\n            the majority of their message traffic was sent using other systems, such as non-\n            DMS e-mail, facsimile transmissions, the Global Command and Control System,\n            the Joint Operation Planning and Execution System, NIPRNET, and SIPRNET.\n            OASD(C3I) and Joint Staff guidance should have mandated DMS usage after\n            implementation.\n\n                            Revised Measurement of DMS Usage. On April 12, 2001,\n            OASD(C3I) issued another revision to the transition plan that established new\n            milestones, modified the definition of operational, and provided additional clarity\n            regarding the applicability of DMS15 and the use of non-DMS means to support\n            organizational messaging. The guidance also stated that non-DMS means of\n            supporting organizational messaging would only be considered for approval if\n            DMS could not support validated user requirements. However, the revised\n            transition plan did not establish a method to verify the usage of DMS in an\n            operational environment. We believe that OASD(C3I) should direct that each site\n            conduct a message traffic analysis to determine whether key organizational\n            messages, such as those related to budgeting, command position, and troop\n            movement, were sent on DMS.\n\n                    Command Emphasis. The Joint Staff did not provide adequate guidance\n            and oversight to ensure that the Services provided command emphasis on the\n            DMS Program. A Joint Staff official recognized that additional emphasis was\n            required from the Joint Staff and the Services to get the system fully operational.\n            Despite having already missed two DoD-mandated deadlines, several units in the\n            European and Pacific theaters were not prepared to fully transition to DMS. The\n            Army Chief Information Officer stated in a May 31, 2002, message to Army users\n            that there was concern that the transition from AUTODIN to DMS was again not\n            occurring at a rate to \xe2\x80\x9cmeet AUTODIN closure.\xe2\x80\x9d He stated that the Army\n            program manager for DMS needed commanders\xe2\x80\x99 help and assistance to ensure\n            that Army commands were ready to meet the DoD deadline. In order to provide\n14\n Functional was defined as when a unit had the ability to send and receive signed and encrypted DMS\n messages. Operational was defined as when a unit was no longer sending AUTODIN messages.\n15\n      Under the modified definition of \xe2\x80\x9coperational,\xe2\x80\x9d an account was operational when all of the\n     organization\xe2\x80\x99s messages were released from, and received at its DMS organizational account.\n\n\n\n                                                      10\n\x0c    emphasis on DMS, the Chief Information Officer established an Army deadline\n    for Army-wide organizational messaging to be fully transitioned to DMS by\n    March 1, 2003. As of March 5, 2003, that deadline had not been met.\n\n    The Air Force experienced similar problems. Despite monthly reports from the\n    European and Pacific theaters that more than 95 percent of all organizational\n    accounts were both operational and functional, Air Force units we visited in those\n    theaters did not use DMS for all of their messaging needs and users had limited\n    knowledge of the intent of the system. We believe that increased command\n    emphasis by the Joint Staff and the Services on the benefits of DMS would have\n    allowed users to understand the system better and the users would, in turn, have\n    used DMS more.\n\n\nImpact on DMS Use\n    Although DMS Release 3.0 should satisfy all MROC requirements, it may not be\n    able to replace the critical AUTODIN emergency action messaging capability by\n    September 30, 2003, the closure of the DMS Transition Hubs. DoD has expended\n    more than 13 years of effort and spent about $9 billion in total program costs on\n    DMS and legacy systems. In addition, DoD will not be able to realize the initial\n    planned savings of $453 million. Instead, it will incur a negative return on\n    investment of at least $266 million for general service messaging capabilities over\n    the life of the DMS Program through FY 2013. Lastly, according to a DISA\n    official, the DMS Program plans additional expenditures of almost $5 billion.\n    The planned expenditures consist of investment costs, operations and support\n    costs, and legacy phase-out costs through FY 2013.\n\n\nRecommendations\n    A.1. We recommend that the Assistant Secretary of Defense (Command, Control,\n    Communications, and Intelligence):\n           a. Resolve user problems with message delivery, non-delivery notices,\n    and the Directory Information Tree.\n\n           b. Allow Defense Message System Release 3.0 to operate for a reasonable\n    amount of time after the closure of the Defense Message System Transition Hubs\n    on September 30, 2003, to validate whether the Defense Message System can\n    meet all Multicommand Required Operational Capability and user requirements.\n\n            c. If the Defense Message System does not meet user requirements,\n    conduct a survey to identify messaging requirements that are not being met and\n    establish a working group to develop a solution to satisfy user requirements.\n\n          d. Direct that each site conduct a message traffic analysis to determine\n    whether key organizational messages, such as those related to budgeting,\n    command position, and troop movement, are being sent on DMS.\n\n\n                                        11\n\x0c    A.2. We recommend that the Director, Joint Staff issue policy and guidance\n    requiring the combatant commands, the Services, and the DoD agencies to:\n\n          a. Conduct a message traffic analysis to determine how the Defense\n    Message System can best support organizational messaging needs.\n\n          b. Use the Defense Message System to satisfy those organizational\n    messaging needs identified in Recommendation A.2.a. after its implementation.\n\n           c. Ensure that the Services provide command emphasis on the Defense\n    Message System Program, to include explaining the intent and nature of\n    operations of the system and educating users on the benefits of the system.\n\n\nManagement Comments Required\n    The Assistant Secretary of Defense (Command, Control, Communications, and\n    Intelligence) did not provide comments and comments from the Director, Joint\n    Staff were received too late to be considered in preparing the final report.\n    Therefore, we request that the Assistant Secretary of Defense provide comments\n    in response to the final report. If the Director, Joint Staff does not submit\n    additional comments, we will consider the comments received as the response to\n    the final report.\n\n\n\n\n                                       12\n\x0c            B. Intelligence Community Directory\n               Security\n            DMS Release 3.0 does not satisfy IC requirements for directory security\n            because DISA was not able to develop a directory architecture that met\n            critical IC directory security requirements. As a result, the IC may not\n            have a secure permanent messaging system available to meet its\n            requirements by September 30, 2003.\n\n\nCriteria\n     IC Requirements. The overall IC DMS requirements were first published in\n     \xe2\x80\x9cIntelligence Community Defense Message (DMS) Requirements, Version 1.1,\xe2\x80\x9d\n     April 29, 1998. In addition, a list of IC Priority 1 requirements were published in\n     the \xe2\x80\x9cIntelligence Community (IC) Requirements & Analysis Report\xe2\x80\x9d (the\n     Analysis Report), July 15, 1998, and later in the \xe2\x80\x9cDMS Release 3.0 IC Priority 1\n     Requirements Implementation Matrix,\xe2\x80\x9d January 7, 2000. Priority 1 requirements\n     are those designated by the IC as most critical, including directory security\n     requirements, which must be met before the IC will implement DMS.\n\n     Director of Central Intelligence Directive (DCID). DCID 6/3, \xe2\x80\x9cProtecting of\n     Sensitive Compartmented Information within Information Systems,\xe2\x80\x9d June 5,\n     1999, sets out the security policies and requirements for information systems in\n     the IC. DMS directory security must comply with the provisions of DCID 6/3 in\n     order to successfully satisfy IC requirements. On June 26, 2002, OASD(C3I)\n     determined that DCID 6/3 should be used as the standard to ensure IC DMS\n     directory security requirements are met.\n\n     According to the Directory Security Functional Content Document (FCD), \xe2\x80\x9cDMS\n     Release 3.0 Directory Security: Consolidated General Service/IC DMS Directory\n     Security Requirements (DCID 6/3 extract),\xe2\x80\x9d October 25, 2002, the DMS\n     Release 3.0 directory does not meet 10 of the DCID 6/3 requirements regarding\n     directory security. The DISA DMS Program Management Office and Lockheed\n     Martin Corporation prepared the FCD to document the problems with directory\n     security. Table 1 lists the 10 unmet DCID 6/3 requirements identified by the\n     FCD.\n\n\n\n\n                                         13\n\x0c            Table 1. Unmet DCID 6/3 Directory Security Requirements\n         DCID 6/3\n        Requirement                                    Description\n\n    1   4.B.2.a(2)         Access control, including a discretionary access control policy.\n    2   4.B.2.a(4)(d)(3)   Activities at the system console (either physical or logistical consoles),\n                           and other system-level accesses by privileged users.\n    3   4.B.2.a(8)         Identification and Authentication.\n    4   4.B.4.a(13)        Identification and Authentication.\n    5   4.B.4.a(14)(a)     Implementation and support of a trusted communications path between\n                           the user and the Security Support Structure of the desktop for login and\n                           authentication.\n    6   4.B.4.a(14)(b)     In the case of communication between two or more systems (e.g. client-\n                           server architecture), bi-directional authentication between the two\n                           systems.\n    7   4.B.2.a(17)(d)5    Information encrypted using NSA-approved encryption mechanisms\n                           appropriate for the classification of stored data.\n    8   5.B.3.a(7)         Data and software storage integrity protection, including the use of\n                           strong integrity mechanisms (e.g. integrity locks, encryption).\n    9   5.B.3.a(11)(a)     Integrity mechanisms adequate to assure the integrity of all transmitted\n                           information (including labels and security parameters).\n    10 5.B.3.a(11)(b)      Mechanisms to detect or prevent the hijacking of a communication\n                           session (e.g. encrypted communication channels).\n     Source: FCD\n\n     The overall IC requirements and the list of Priority 1 requirements are broadly\n     defined principles that DMS will be required to meet. DCID 6/3 provides the\n     road map of detailed security steps to follow to ensure the DMS directory satisfies\n     the overall IC requirements.\n\n\nDirectory Security\n     DMS Release 3.0, the first release to be considered for implementation in the IC,\n     does not satisfy IC requirements for directory security. If directory security\n     requirements, which are Priority 1 requirements, are not met, the IC will not\n     implement DMS. Since the IC requirements were first established in 1998, DISA\n     has considered different solutions to satisfy directory security requirements. As\n     of November 18, 2002, directory security was the biggest unresolved issue facing\n     DMS.\n\n     The architecture of the DMS directory of user addresses consists of individual,\n     local directories (Directory System Agents [DSAs]) that contain part of the\n     X.500 directory. X.500 is an international specification established for directory\n     services that defines the mechanisms to support geographically dispersed\n     directories (distributed environments) and to control access to the information\n     stored in the directories.\n\n\n                                              14\n\x0c           OASD(C3I) Memorandum. According to the OASD(C3I) memorandum, \xe2\x80\x9cDMS\n           Directory Security Requirements,\xe2\x80\x9d June 26, 2002, effective directory security\n           requires four elements:\n\n                    \xe2\x80\xa2    integrity of the directory,\n\n                    \xe2\x80\xa2    strong identification and authentication of changes to the directory,\n\n                    \xe2\x80\xa2    integrity of directory data, and\n\n                    \xe2\x80\xa2    an ability to provide a comprehensive audit of directory changes.\n\n           The memorandum states that the DISA Virtual Private Network (VPN) solution to\n           directory security, which was in effect at the time of the memorandum, was\n           inadequate. Specifically, under the VPN solution, boundaries were not well\n           protected and identification and authentication within the VPN was weak (for\n           example, passwords used in DMS were inadequately protected).\n\n           Directory Security Functional Content Document. The FCD sets out the\n           shortfalls in the directory architecture of DMS Release 3.0, which features the\n           VPN solution. The FCD also describes the enhancements to be made as part of a\n           phased solution to ensure the DMS directory meets DCID 6/3 requirements.\n\n           The DMS directory architecture consists of X.500 DSAs located in a DISA-\n           operated infrastructure as well as in locally operated Service and Defense agency\n           sites. The FCD states that because the directory architecture is widely dispersed,\n           data is transmitted between DSAs. Data transmissions include writes16 and\n           reads17 of data between DSAs. In addition, other components, such as DMS\n           messaging clients and tools, connect to DSAs to send or retrieve data.\n\n           Despite the fact that DSAs and components are protected by firewalls and there is\n           a global VPN that protects many of the transmissions between DSAs, the FCD\n           notes that much of the directory data is transmitted over unprotected network\n           links, both internal and external. Thus, states the FCD, directory data\n           transmissions are unprotected for significant portions of their travel across the\n           DMS directory architecture.\n\n           According to the FCD, DMS Release 3.0, which includes the VPN solution, does\n           not address concerns about the integrity of the directory. It is not possible to\n           update the DMS directory data or configuration without authorization (gained\n           through inputting an identification and password); however, anyone with access\n           to the network (an internal user) can potentially intercept that information in\n           transit. If the intercepted data includes an administrator\xe2\x80\x99s identification and\n           password combination, the interceptor could potentially gain access to the\n           authorizations held by that administrator. In order to prevent the risk of\n           interception, the FCD states that all transmissions of directory data must be\n           encrypted.\n\n16\n     Directory modifications by authorized system administrators.\n17\n     Users accessing or reading directory data.\n\n\n\n                                                      15\n\x0c            The FCD notes that as long as identifications and passwords are the means of\n            authentication, the DMS directory is vulnerable to unauthorized access if an\n            identification and password are guessed correctly. According to the FCD, the\n            DISA phased solution to address IC DMS directory security requirements will use\n            certificates and a public key infrastructure to authenticate users. That design\n            requires that an imposter gain access to a user\xe2\x80\x99s certificate, the user\xe2\x80\x99s private key,\n            and the personal identification number used to access the private key in order to\n            impersonate that user. Gaining access to all three of those components is much\n            more difficult than simply guessing a user\xe2\x80\x99s identification and password.\n\n\nDevelopment of the DMS Directory\n            DISA was unable to develop a DMS directory architecture that met critical IC\n            directory security requirements. The DISA DMS Program Management Office is\n            responsible for developing a solution that satisfies the IC directory security\n            requirements.\n\n            The IC requirements for directory security have been well known for several\n            years. The IC released its official DMS requirements, which included directory\n            security requirements, on April 29, 1998. In addition, the IC designated directory\n            security requirements as critical items in its July 15, 1998, and January 7, 2000,\n            DMS Release 3.0 Priority 1 requirements documents. IC DMS Management\n            Office officials stated that they continually reminded the DISA DMS Program\n            Management Office about the criticality of developing an effective solution to the\n            directory security problems. In an effort to address the IC directory security\n            requirements, DISA developed different solutions over the years, including a\n            solution based on FORTEZZA,18 a VPN solution, and a phased solution.\n\n            FORTEZZA-Based Solution. In the 1999 through 2001 timeframe, the DISA\n            DMS Program Management Office considered a FORTEZZA-based solution to\n            meet the IC directory security requirements. According to DISA, the\n            FORTEZZA-based solution never made it past the prototype stage because of\n            development concerns, schedule concerns, and cost. A DISA DMS Program\n            Management Office official indicated that the solution was never formally\n            proposed to the IC.\n\n            VPN Solution. The DISA DMS Program Management Office decided in early\n            2001 to extend a planned VPN implementation to also protect the DMS directory,\n            in place of the FORTEZZA-based solution. The VPN solution was the second\n            solution considered to address IC directory requirements, but it was the first\n            proposed to the IC (in early 2002). However, the Defense Intelligence\n            Communication Accreditation Support Team19 and the IC did not view the VPN\n            solution as acceptable. During the DMS 3.0 Milestone III decision review\n\n18\n      FORTEZZA is a product of the National Security Agency Multi-Level Information System Security\n     Initiative program.\n19\n      The Defense Intelligence Communication Accreditation Support Team is responsible for analyzing\n     security issues.\n\n\n\n                                                     16\n\x0c           process, the Defense Intelligence Communication Accreditation Support Team\n           rejected the VPN solution.\n\n           The FCD includes the following major DMS directory security exposures that\n           exist under the DMS Release 3.0 directory architecture, which features the VPN\n           solution:\n                   \xe2\x80\xa2 transmittal of directory modify requests over unprotected links,\n\n                    \xe2\x80\xa2    transmittal of directory data over unprotected links as part of a\n                         replication operation,\n\n                    \xe2\x80\xa2    vulnerability of a user\xe2\x80\x99s identification and password combination to\n                         guessing or interception on unprotected links, and\n\n                    \xe2\x80\xa2    transmittal of directory data over unprotected links as a result of a read\n                         request.\n\n           On June 20, 2002, after the VPN solution had been rejected, the Command,\n           Control, Communications, Computers, Intelligence, Surveillance, and\n           Reconnaissance & Space Systems OIPT tasked the Information Assurance Branch\n           of OASD(C3I) with identifying and clarifying the DoD and IC requirements that\n           would be used to develop a new solution to satisfy IC directory security concerns.\n           The June 26, 2002, OASD(C3I) memorandum established DCID 6/3 as the basis\n           for developing a solution to the directory security problems for both DoD and the\n           IC. The FCD notes that the DISA DMS Program Management Office was to\n           provide a plan of action to develop, test, and implement the directory security\n           requirements established by the OASD(C3I) memorandum.\n\n           Phased Solution. On September 19, 2002, DISA presented the Defense\n           Intelligence Communication Accreditation Support Team with a phased solution\n           to the directory security requirements. The team agreed with the approach and\n           the planned schedule. In a memorandum to OASD(C3I), \xe2\x80\x9cDMS Directory\n           Security Requirements,\xe2\x80\x9d November 1, 2002, DISA provided an overview of its\n           plan to complete the directory security enhancements.\n\n           Phase one of the phased solution will focus on directory security enhancements\n           critical to achieving DMS Transition Hub closure. According to the DISA\n           memorandum, phase one will include directory write operations, protection of\n           remote directory administration operations, and protection of directory security\n           integrity. In the second phase, DISA plans to address strong authentication for\n           directory read operations and encryption of the directory. According to a DISA\n           DMS Program Management Office official, both phases of the solution would\n           employ Secure Sockets Layer20 tunnels with bi-directional authentication using\n           DoD or IC public key infrastructure certificates. Directory data in transmission\n           would be encrypted and before the directory could be modified or read,\n           authentication would be required.\n\n\n\n20\n     Secure Sockets Layer technology is used by digital certificates to encrypt data.\n\n\n\n                                                       17\n\x0cPlanned Actions\n            In order to implement DMS in the IC by the DMS Transition Hub closure date of\n            September 30, 2003, the following actions will need to have been completed:\n                   \xe2\x80\xa2 development, testing, and fielding of phase one of the DISA phased\n                        directory security solution;\n                     \xe2\x80\xa2   modification and testing of existing DMS components affected by the\n                         planned changes to the directory;\n                     \xe2\x80\xa2   testing of the overall DMS architecture for all IC agencies; and\n                     \xe2\x80\xa2   approval by the Director of Central Intelligence to implement DMS.\n            DISA plans to have the phase one solution tested and implemented by the DMS\n            Transition Hub closure date. The directory security shortfalls addressed by phase\n            one are functions that are deemed critical to achieving that closure. As of\n            February 7, 2003, phase one development was ongoing. Phase two, which will\n            complete the directory security enhancements, is projected by DISA to be\n            completed in 2004.\n\n            IC officials indicated that the overall IC DMS architecture would undergo a\n            developmental test phase and an operational test and evaluation in the spring of\n            2003, followed by three additional test phases (including tests of functionality,\n            security, and vulnerability) in June 2003. When the tests are completed, the IC\n            Chief Information Officer will prepare a report summarizing their results. The\n            report will then be presented to the Director of Central Intelligence for review and\n            approval of the entire IC DMS architecture (the core DMS Release 3.0 software\n            product and any supplementary products).\n\n\nConclusion\n            The IC may not have a secure permanent messaging system available to meet its\n            requirements by September 30, 2003. Therefore, IC agencies will have to rely on\n            legacy and existing systems, such as the Joint Worldwide Intelligence\n            Communications System, the IC Bypass,21 and other forms of secure e-mail, to\n            provide messaging services.\n\n            Because DISA had not developed a DMS directory architecture that satisfied IC\n            directory security requirements, a phased solution had to be developed and must\n            be tested and implemented with little room for error prior to the September 30,\n            2003, deadline. If there are any delays in the schedule, the IC may not be ready to\n            implement DMS. However, DISA and the IC have agreed on the solution to\n            address the directory security requirements; therefore, this report makes no\n            recommendations.\n\n21\n     The IC Bypass architecture is composed of legacy switches that provide bi-directional organizational\n     messaging between DMS and legacy users. It is scheduled for closure in September 2004.\n\n\n\n                                                      18\n\x0cAppendix A. Scope and Methodology\n   We performed this audit to determine whether DMS can replace the critical\n   messaging capabilities of AUTODIN.\n\n   To accomplish the audit objective, we:\n\n          \xe2\x80\xa2   visited, contacted, and conducted interviews with officials from\n              OASD(C3I); the Office of the Director, Program Analysis and\n              Evaluation; the Office of the Joint Chiefs of Staff; the Services\xe2\x80\x99 DMS\n              Program offices; selected unified commands (the U.S. Pacific\n              Command, the U.S. European Command, the U.S. Transportation\n              Command, and the U.S. Strategic Command); selected subordinate\n              unified commands (U.S. Forces Japan and U.S. Forces Korea); the Air\n              Force Communications Agency; DISA; and the DISA DMS Program\n              Management Office;\n\n          \xe2\x80\xa2   visited, contacted, and conducted interviews with officials from the IC,\n              including the IC Chief Information Officer, the IC DMS Management\n              Office, the Defense Intelligence Communication Accreditation\n              Support Team, the Central Intelligence Agency, the National Security\n              Agency, the Defense Intelligence Agency, the National\n              Reconnaissance Office, the National Imagery and Mapping Agency,\n              and various intelligence field offices; and\n\n          \xe2\x80\xa2   reviewed various reports for the DMS Program that included cost,\n              schedule, and performance parameters covering FY 1990 through\n              FY 2013.\n\n   We interviewed officials within OASD(C3I) and the Office of the Joint Chiefs of\n   Staff concerning their respective roles in the oversight of the DMS Program. We\n   interviewed personnel from the DISA DMS Program Management Office, Service\n   DMS program offices (Army, Navy, Air Force, and Marine Corps), and unified\n   command DMS program offices (U.S. Pacific Command, U.S. European\n   Command, U.S. Transportation Command, and U.S. Strategic Command) to\n   determine their respective DMS fielding status. During visits to the unified\n   commands, subordinate unified commands, and DISA, we interviewed personnel\n   responsible for operating DMS to determine whether DMS was fulfilling the\n   users\xe2\x80\x99 requirements. We also interviewed officials within DISA to determine the\n   current development and implementation status of DMS.\n\n   We reviewed documentation provided by the Services\xe2\x80\x99 DMS program offices to\n   evaluate the Services\xe2\x80\x99 DMS fielding status and transition plans. We reviewed the\n   DoD Acquisition Regulations (5000 Series) and the OASD(C3I) memorandum,\n   \xe2\x80\x9cPolicy Guidance for the Defense Message System,\xe2\x80\x9d February 19, 1998, to\n   determine roles and responsibilities for the DMS Program. In addition, we\n   reviewed \xe2\x80\x9cChange 2 to Multicommand Required Operational Capability,\xe2\x80\x9d\n   October 1, 1997, to determine the specific capabilities required of DMS.\n\n\n\n\n                                       19\n\x0c    We reviewed and analyzed documentation provided by DISA, including JITC test\n    results (January 2001 and January 2002), the DMS acquisition program baseline\n    (June 2002), life-cycle cost estimate (July 2002), analysis of alternatives (June 14,\n    2002), DMS business process reengineering assessment (June 14, 2002), and\n    benefits analysis (June 24, 2002). We also reviewed documentation provided by\n    the IC, such as \xe2\x80\x9cIntelligence Community (IC) Requirements & Analysis Report,\xe2\x80\x9d\n    July 15, 1998, and \xe2\x80\x9cDMS Release 3.0 IC Priority 1 Requirements Implementation\n    Matrix,\xe2\x80\x9d January 7, 2000, provided by the IC, which lists the most critical\n    requirements of the IC. We reviewed documentation from each IC agency to\n    determine whether a stable DMS architecture was in place. We analyzed\n    documentation provided by DISA and the IC regarding the development of the\n    DMS directory, including the OASD(C3I) memorandum, \xe2\x80\x9cDMS Directory\n    Security Requirements,\xe2\x80\x9d June 26, 2002, and the FCD.\n\n    We performed this audit from April 2002 through March 2003 in accordance with\n    generally accepted government auditing standards. Our scope was limited in that\n    we did not include tests of management controls.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in DoD. This report provides coverage of\n    the DoD Systems Modernization high-risk area.\n\n\nPrior Coverage\n    During the last 5 years, the Inspector General of the Department of Defense\n    (IG DoD) has issued one report discussing the transition from AUTODIN to\n    DMS. Unrestricted IG DoD reports can be accessed at\n    http://www.dodig.osd.mil/audit/reports.\n\nIG DoD\n    IG DoD Report No. 98-150, \xe2\x80\x9cReadiness of the Defense Message System to\n    Replace the Automatic Digital Network,\xe2\x80\x9d June 11, 1998\n\n\n\n\n                                         20\n\x0c               DRAFT REPORT\n\n\n\nAppendix B. Congressional Request\n\n\n\n\n                     21\n\x0cAppendix C. DMS Multicommand Required\n            Operational Capability\n            Requirements\n   1. Connectivity/Interoperability: Allow user to communicate with any other user\n   within the DMS community and provide system users with standard interfaces to\n   other Government agencies, allies, Defense contractors, and other approved\n   activities external to the DMS community.\n   2. Message Delivery: System must deliver messages to the intended recipient(s)\n   with a high degree of certainty. System must notify the sender when unable to\n   deliver a message and provide message accountability and traceability from writer\n   to reader.\n   3. Timely Delivery: System must provide at least two levels of precedence and\n   transmission priorities and at least two levels of importance indicators. System\n   must provide support for changing traffic loads and conditions in time of peace,\n   crisis, and war, such that all messaging characteristics continue to be achieved.\n   4. Confidentiality/Security: System is to provide the capability to process and\n   protect all message traffic, to include unclassified, classified, and sensitive\n   messages at appropriate security levels and compartments.\n   5. Sender Authentication: System must have the capability to unambiguously\n   verify and prove that information marked as originating at a given source did, in\n   fact, originate there.\n   6. Integrity: Information received must be the same as the information sent and\n   the system must provide the user with a selectable verification mechanism.\n   7. Availability/Reliability: System must provide users with a message service on\n   a continuous basis.\n   8. Training: System must be flexible and responsive enough to allow the user to\n   operate DMS without extensive training.\n   9. Identification of Recipients: System must allow sender to unambiguously\n   identify the intended recipient by organization or individual.\n   10. Message Preparation Support: Preparation of messages for transmission must\n   be user-friendly and allow the use of external message editors.\n   11. Storage and Retrieval Support: System must have the capability to support\n   storing messages after delivery to allow retrieval for such purposes as forwarding\n   and resending and to support automated message handling functions.\n   12. Distributions, Determination, and Delivery: System must provide the\n   message originator with the capability to specify special handling and delivery\n   instructions. It also must support single and multiple deliveries, as well as single\n   address lists that result in multiple deliveries.\n\n\n                                        22\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\n   Director, Program Analysis and Evaluation\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\nDirector, Defense Procurement and Acquisition Policy\n\nJoint Staff\nDirector, Joint Staff\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nUnified Commands\nCommander, U.S. Northern Command\nCommander, U.S. Southern Command\nCommander, U.S. Joint Forces Command\nCommander, U.S. Pacific Command\n  Commander, U.S. Forces Japan\n  Commander, U.S. Forces Korea\nCommander, U.S. European Command\nCommander, U.S. Central Command\nCommander, U.S. Transportation Command\nCommander, U.S. Special Operations Command\nCommander, U.S. Strategic Command\n\n\n\n\n                                          23\n\x0cOther Defense Organizations\nDirector, Defense Information Systems Agency\nDirector, Defense Intelligence Agency\nDirector, National Imagery and Mapping Agency\nDirector, National Reconnaissance Office\nDirector, National Security Agency\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\nDirector, Central Intelligence Agency\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Subcommittee on Military Readiness, Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\n\n\n\n                                        24\n\x0cTeam Members\nThe Readiness and Logistics Support Directorate, Office of the Assistant\nInspector General for Auditing of the Department of Defense prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\n\nShelton R. Young\nKimberley A. Caprio\nDonald A. Bloomer\nLieutenant Colonel Shannon Jones, U.S. Army\nVanessa Springfield\nSuk Y. Webb\nKeith M. Owens\nVelma E. White\nGary L. Queen\nMichael J. Roark\nDeirdre Beal\nApril L. Glasscock\nJoshua H. Hickman\nRobert E. L. Smith\nMandie L. Marr\nElizabeth N. Shifflett\n\x0c'